The Agent Skills Directory

[COMMAND_EXECUTION] (LOW): The validate-config.sh script executes the esphome command as a subprocess. While it uses proper shell quoting for the filename argument to prevent basic command injection, the script's core purpose is to invoke a complex tool that processes user-provided YAML files.
[PROMPT_INJECTION] (LOW): The configuration templates use string interpolation (e.g., ${friendly_name}) within C++ lambda blocks. This creates an indirect prompt injection surface where unsanitized user input could lead to arbitrary C++ code being injected into the firmware during compilation. Evidence: Ingestion points: substitution variables in YAML templates; Boundary markers: C++ string literals; Capability inventory: C++ firmware compilation and execution; Sanitization: Absent in the provided templates.
[EXTERNAL_DOWNLOADS] (LOW): The display-node.yaml template references Google Fonts (gfonts://), which is a trusted external source. The skill also relies on the esphome Python package, a standard dependency for this use case.
[DATA_EXFILTRATION] (SAFE): The skill correctly implements the !secret directive for WiFi credentials, API encryption keys, and OTA passwords, ensuring that no sensitive data is hardcoded within the configuration files.

esphome-config-helper